Observations on articles I read to keep current about technology. My interests are: Privacy, security, business, the computer industry, and geeky stuff that catches my eye.

I don't think I have an agenda beyond my own amusement.

Note that I lump all my comments into a single post. This is not a typical BLOG technique; it's just an indication that I'm lazy.

Saturday, December 28, 2013

How important is it to
get your facts (and the potential risks) correct? Is it better to
say, “I don't have that information in front of me, let me check
and get back to you?” In every “incident” I was involved with
as an Auditor, we started by documenting how data flowed through the
processes involved. Later we could look at each step and the
potential for something inappropriate to happen.

That’s absurd. Just
ask the staff who were using it whether they entered patient data on
it. If they say “Yes, we used it for every radiology patient,”
then you have your answer. You may not know which patients or what
data yet, but at least you’d be able to say whether patient data
was on it or not. Significantly, perhaps, the employee who
reported the theft to the police told them that patient data was on
the computer.

If HHS investigates
this incident, I expect they’ll want to know how it is that after
four days, the hospital couldn’t say whether any patient data were
on a computer. Doesn’t that suggest a lack of inventory or
safeguards at the very least?

A
U.S. judge has concluded that the National Security Agency’s
sweeping collection of telephone data is lawful, rejecting a
challenge by the American Civil Liberties Union to the program.

U.S.
District Judge William Pauley in Manhattan on Friday said there was
no evidence that the government had used any of the so-called “bulk
telephony metadata” it had collected for any reason other than to
investigate and disrupt terrorist attacks.

There’s a lot there
to digest, none of it good news for privacy advocates from the parts
I’ve skimmed so far. Of note, Judge Pauley found that Congress had
ratified the Section 215 program as interpreted by the Executive
Branch when they reauthorized FISA after having the opportunity to
review a classified document that noted that it required the
collection of “substantially all” telephone calls. The judge
noted that not all members of the House had read the document, but
concluded that the Executive branch has fulfilled its obligation by
providing the memo.

So… we have members
of Congress to thank for failing to read what they could have read?
Would they have blocked the reauthorization of FISA had they been
paying more attention?

NEW YORK – A federal
court issued an opinion and order in ACLU v. Clapper, the
ACLU’s challenge to the constitutionality of the NSA’s mass
call-tracking program, ruling that the government’s bulk collection
of phone records is lawful under Section 215 of the Patriot Act and
under the Fourth Amendment. The court denied the plaintiffs’
motion for a preliminary injunction and granted the government’s
motion to dismiss the case. Judge Pauley’s ruling conflicts with
last week’s ruling by a federal judge in Washington, D.C., that the
mass call-tracking program violates the Fourth Amendment. The ACLU
plans to appeal the ruling to the Second Circuit Court of Appeals.

The plaintiffs filed
the lawsuit on June 11, 2013, less than a week after the mass
call-tracking program was revealed by The Guardian newspaper
based on documents obtained from NSA whistleblower Edward Snowden.

“We are extremely
disappointed with this decision, which misinterprets the relevant
statutes, understates the privacy implications of the government’s
surveillance and misapplies a narrow and outdated precedent to read
away core constitutional protections,” said Jameel Jaffer, ACLU
deputy legal director. “As another federal judge and the
president’s own review group concluded last week, the National
Security Agency’s bulk collection of telephony data constitutes a
serious invasion of Americans’ privacy. We intend to appeal and
look forward to making our case in the Second Circuit.”

Why clutter the
intelligence space with useless data? The answer is, they don't! If
there is no evidence that they stopped a terrorist attack, ask what
value they do find in this data? How would you use the data?

Ryan Goodman has a post
on Just Security that is part of an ongoing dialogue* about the
report by the President’s Review Group. Ryan writes:

The
question I consider in this post is whether the Group’s assessment
will, and should, signal the effective demise of the program. I
examine the strongest claims that proponents of the program may still
raise; and I propose some analytic tools for considering the issue of
effectiveness, so that we might all (proponents, opponents, and
others alike) candidly assess this particular program’s potential
security benefits.

“Calculators are an
essential tool to help you evaluate your current financial situation,
and to get you where you want to be in the future. They can tell you
if you are in the “ballpark” for retirement, and help you analyze
fees associated with mutual funds and 529 Plans. Here
are just a few of the tools you’ll find on Investors.gov:

401(k) and
IRA Required Minimum Distribution Calculator: After age
70½, you are generally required to start withdrawing money from
your IRAs and 401(k)s. Find out the minimum amount you’ll need to
withdraw, depending on your age and the value of your accounts.

Compound
Interest Calculator: Find out how much your money can grow,
using the power of compound interest.

Social
Security Retirement Estimator: Get personalized benefit
estimates to help you plan for retirement.

Worksheet
for Determining Your Net Worth: Use this worksheet to list
your assets and debts.

Worksheet
for Tracking Your Income and Expenses: Keeping track of
your income and expenses will help you stay on track with your
financial goals.”

For my students who
read (There are some!) NOTE: I did skip a couple... Load these into
Calibre to organize and move to various devices.

… As you probably
already know, IFTTT
is just the hack you’re looking for. This great automation service
can be used for anything from superpowering
Google Calendar to making
money, and yes, it can also be used to supercharge your eBook
reading. From finding eBook deals to automatically sending articles
to your Kindle, these are all the recipes you need.

This
recipe monitors the Gold Box feed for the “Kindle” keyword, and
emails you only when a relevant deal appears. When using the recipe,
you can change the keyword to anything you want, so if it’s not
Kindle you’re interested in, the recipe is still very useful.

– draws the attention
of people who care about you at times of need, and makes it easier
for them to find you. Create response groups based on locations you
visit frequently, and add people who care about you to each group.
Whenever you don’t feel safe, start SafeSpot.

I can't help thinking
that I could make more money selling individual “How to” lessons
at $1 per, than I could teaching full time.

If you have the time
and inclination to explore a new hobby, prepare a gourmet meal, learn
how to code, or pick up a few health and beauty tips, the online
learning site and mobile app, Curious.com,
offers hundreds of free or low cost video tutorials on a wide range
of topics.

… Each Curious
lesson is broken down into interactive sections with a few
multiple-choice review questions at the end of each lesson. Some
lessons may include PDF handouts, links to other resources, and a
feature for leaving comments and asking questions.

… Curious includes
a Curious
Lesson Builder platform for creating lessons, and uploading video
content to the site. Instructors get their own individual web page
(www.curious.com/yourbrand), and for paid lessons, teachers
receive 70% and Curious gets 30% of the paid tuition. Lessons can
easily be shared to social networks, and all uploaded content remains
non-exclusive and owned by the instructors.

… A
judge has ruled that Sherlock Holmes (and the
other characters and elements of Arthur Conan Doyle’s series) is no
longer covered by US copyright law and is now in the public domain.

… A
judge has ruled that the Douglas
County (Colorado)
school district “violated the state’s Fair Campaign Practices Act
when it hired Rick Hess to author a positive report
about school reforms that it later e-mailed to 85,000 subscribers in
the weeks before the November election.” All’s fair in

Friday, December 27, 2013

Alan
Dershowitz rips Edward Snowden: ‘We have an absolute right’ to
spy on other countries

… In particular,
Dershowitz slammed Snowden for bringing to light the agency’s
surveillance activities against other countries, saying they “raise
some questions, but [were] not unconstitutional.”

“We have an absolute
right under our Constitution to listen to the prime minister of
Israel, to listen to the chancellor of Germany,” Dershowitz said.
“That is not a constitutional issue, and yet he disclosed — or
people working on his behalf — the fact that we are using
surveillance abroad, outside the country, where the Constitution does
not apply.”

Interesting. Are we
back to the same “anti-Iran” agreements we had before Saddam
invaded Kuwait?

U.S.
sending missiles and surveillance drones to Iraq to help combat
Al-Qaeda-backed violence: NYT

The United States is
sending Iraq dozens of missiles and surveillance drones to help it
combat a recent surge in Al-Qaeda-backed violence, the New York Times
reported on Thursday.

The weapons include a
shipment of 75 Hellfire missiles purchased by Iraq, which Washington
delivered to the country last week, the Times reported.

The daily wrote that 10
ScanEagle reconnaissance drones — smaller versions of the larger
Predator drones that once were frequently flown over Iraq — are
expected to be sent by March. [Meanwhile, they can
hand deliver the missiles Bob]

Sources say that
SoftBank will make a $19 billion bid for 70 percent of T-Mobile.

On Wednesday, the
Nikkei news agency cited
unnamed sources who said that SoftBank, the company that owns a
majority of Sprint, was “in the final stages of talks with
T-Mobile's German parent, Deutsche Telekom.” News of a merger
between Sprint and T-Mobile hit in
early December, with the Wall Street Journal reporting
that Sprint’s parent company was wary of trying to merge with
T-Mobile like AT&T had years earlier, only to see its efforts
thwarted by the Department of Justice and the Federal Communications
Commission.

I'm not sure my
students plan overmuch, but if they do, this looks interesting.

– Convert your
Basecamp Project, Google Calendar or Trello Board to a Gantt Chart.
Explain your plans to others using one simple chart. See how all
your activities relate in time and find bottlenecks in a matter of
seconds. It is free and there is no need to register.

… Ganttify is
provided to you by Tom's Planner. Tom's Planner is
an online Project Planning tool used by more than 150k
users worldwide.

“The Digital
Attack Map is a live data visualization of DDoS attacks around
the globe, built through a collaboration between Google
Ideas and Arbor
Networks. The tool surfaces anonymous attack traffic data to let
users explore historic trends and find reports of outages happening
on a given day.”

A
recent case, United
States v. Young (D. Utah, December 17, 2013) (Campbell, J.),
touches on a novel, interesting, and quite important question of
Fourth Amendment law: Assuming that e-mail account-holders generally
have Fourth Amendment rights in the contents of their e-mails, as
courts have so far held, when do a person’s
Fourth Amendment rights in copies of sent e-mails lose Fourth
Amendment protection?

To
understand the question, consider Fourth Amendment rights in postal
letters. Before a letter is sent, only the sender has rights in the
letter; during transmission, both the sender and recipient have
rights in the letter; and once the letter is delivered at its
destination, the recipient maintains Fourth Amendment rights but the
sender’s rights expire. But how do you apply this to an e-mail?
By analogy, a sender loses Fourth Amendment rights in the copy of the
e-mail that the recipient has downloaded to his personal computer or
cell phone. But does the sender have Fourth Amendment rights in the
copy of the e-mail stored on the recipient’s server after the
recipient has accessed the copy? And does the sender have Fourth
Amendment rights in the copy of the e-mail stored on the recipient’s
server before the recipient has accessed the copy? At what
point do the sender’s Fourth Amendment rights in the sent copy
expire?

Hotels don't have to,
but they can. All that suggests is that hotels could sell the data
to anyone who wanted it. (Police, paparazzi, divorce lawyers)
Perhaps asking police to pay for records would limit the gathering?

While
federal courts in New York and Washington mull
the constitutionality of the National Security Agency’s bulk
collection of phone records, a panel of judges in California has
answered another weighty Fourth Amendment question: Do we have an
expectation of privacy in our hotel guest records?

No,
we do not, the Ninth U.S. Circuit Court of Appeals ruled Tuesday.

But
hotels do have an interest in keeping their records private, and so,
in a gift to privacy advocates, the
appeals court struck down a Los Angeles ordinance that required
operators to produce information about their guests to police
officers, upon request, without a warrant. The information included
a guest’s name and address, the number of people in the party,
vehicle information, arrival and checkout dates, room number and
method of payment.

I’m glad we got
something, but I still detest the third party doctrine that says we
lose our expectation of privacy by turning over our information to a
business. The business has a property
interest/privacy expectation, but we don’t. That needs
to change.

(Related) Not sure I
agree that gathering “suspicious activity reports” is ever a bad
idea. It's what happens after the tip that could be a waste of time.

“Gaps in
local-federal intelligence sharing systems jeopardize national
security investigations and threaten Americans’ civil liberties,
according to a new Brennan Center report. National
Security and Local Police, the most comprehensive survey of
counterterrorism policing since 9/11, finds that police are operating
without adequate standards and oversight mechanisms, routinely
amassing mountains of data – including personal information about
law-abiding Americans – with little
or no counterterrorism value. The Brennan Center’s
findings are based on dozens of freedom of information requests, in
addition to surveys and interviews with police departments, Joint
Terrorism Task Forces, and data sharing centers nationwide. The
Brennan Center’s new report shows how the lack of consistency and
oversight in local counterterrorism programs directs resources
away from traditional police work, violates individual liberties,
undermines community-police relations, and causes important
counterterrorism information to fall through the cracks. The Boston
Marathon bombing exemplifies how critical information can get lost in
a din of irrelevant data.”

My interest in how
poorly the “Music Industry” (actually music labels) has
incorporated technology is matched by how smart individual bands seem
to be... Note that this makes no money for the music label, only for
the band itself.

How
Iron Maiden found its worst music pirates -- then went and played for
them

… A U.K. company
called Growth
Intelligence aggregates data on U.K. companies to offer them a
real time snapshot of how their company is performing. They capture
everything from real-world data, like hiring of employees, to online
indicators like email to online discussion.

Its stats were compiled
for the London Stock Exchange "1000
Companies That Inspire Britain" list. On that list were six
music firms that outperformed the music sector, one of them being
Iron Maiden LLP, the holding company for the venerable heavy metal
band.

… Enter another
U.K. company called Musicmetric,
which specializes in analytics for the music industry by capturing
everything from social media discussion to traffic on the BitTorrent
network. It then offers this aggregated information to artists to
decide how they want to react. Musicmetric noticed Iron Maiden's
placement and ran its own analytics for the band.

… In the case of
Iron Maiden, still a top-drawing band in the U.S. and Europe after
thirty years, it noted a surge in traffic in South America. Also, it
saw that Brazil, Venezuela, Mexico, Colombia, and Chile were among
the top 10 countries with the most Iron Maiden Twitter followers.
There was also a huge amount of BitTorrent traffic in South America,
particularly in Brazil.

Rather than send in the
lawyers, Maiden sent itself in. The band has focused extensively on
South American tours in recent years, one of which was filmed for the
documentary "Flight 666." After all, fans can't download a
concert or t-shirts. The result was massive sellouts. The São
Paulo show alone grossed £1.58 million (US$2.58 million).

And in a positive
cycle, Maiden's online fanbase grew. According to Musicmetric, in
the 12 months ending May 31, 2012, the band attracted more than 3.1
million social media fans. After its Maiden England world tour,
which ran from June 2012 to October 2013, Maiden's fan base grew by
five million online fans, with a significant increase in popularity
in South America.

A real exercise for my
Computer Security students. If you really want to understand your
“Internet footprint” this will help.

Wednesday, December 25, 2013

It's that time of year
again. Rather than a heartfelt “Bah, Humbug!” allow me to offer
you...

POLITICALLY
CORRECT SEASONS GREETINGS

Please accept with no
obligation, implied or implicit, our best wishes for an
environmentally conscious, socially responsible, low stress,
non-addictive, gender neutral, celebration of the northern hemisphere
winter solstice, practiced within the most enjoyable traditions of
the religious persuasion of your choice, or secular practice of your
choice, with respect for the religious/secular persuasions and/or
traditions of others, or their choice not to practice religious or
secular traditions at all. And a fiscally successful, personally
fulfilling and medically uncomplicated recognition of the generally
accepted calendar year 2014, but not without due respect for the
calendars of choice of other cultures whose contributions to society
have helped make our country great, and without regard to the race,
creed, color, age, physical ability, religious faith, sexual
orientation or choice of computer platform and operating system of
the wishee.

By accepting this
greeting, you are accepting these terms:

1. The greeting is subject to clarification or withdrawal.

2. It is freely transferable with no alteration of the original greeting.

3. It implies no promise by the wisher to actually implement any of the
wishes for her/himself or others.

4. It is void where prohibited by law, and

5. It is revocable at the sole discretion of the wisher.

This wish is warranted
to perform as expected with the usual application of good tidings for
a period of one year or until the issuance of a subsequent holiday
greeting, whichever comes first, and warranty is limited to
replacement of this wish or issuance of a new wish at the sole
discretion of the wisher.

[This
is what happens when you hang out with lawyers. Bob]

Let me repeat. You
really don't need to know the names to establish that “Known
Terrorist #402” is repeatedly calling a cell phone in New Jersey
and that cell phone is then calling three other phones.

“You have my
telephone number connecting with your telephone number,” explained
President Obama in a PBS
interview. “[T]here are no names . . . in that database.”
Versions of this argument have appeared frequently in debates over
the NSA’s domestic phone metadata program. The factual premise is
that the NSA only compels disclosure of numbers, not names.
One might conclude, then, that there isn’t much cause for privacy
concern. This line of reasoning has drawn sharp criticism. In a
declaration
for the ACLU, Ed Felten noted:

“Although
officials have insisted that the orders issued under the telephony
metadata program do not compel the production of customers’ names,
it would be trivial for the government to correlate many telephone
numbers with subscriber names using publicly available sources. The
government also has available to it a number of legal tools to compel
service providers to produce their customer’s information,
including their names.”

The
Government maintains that the metadata the NSA collects does not
contain personal identifying information associated with each phone
number, and in order to get that information the FBI must issue a
national security letter (“NSL”) to the phone company. . . . Of
course, NSLs do not require any judicial oversight . . .
meaning they are hardly a check on potential abuses of the metadata
collection. There is also nothing stopping the Government from
skipping the NSL step altogether and using public databases or any of
its other vast resources to match phone numbers with subscribers.

(Senator Dianne
Feinstein issued a statement
in response, reiterating that “no names” are coerced from the
phone companies in bulk.)

So,
just how easy is it to identify a phone number? Trivial, we found.
We randomly sampled 5,000 numbers from our crowdsourced
MetaPhone dataset and queried the Yelp, Google Places, and
Facebook directories. With little marginal effort and just those
three sources—all free and public—we matched 1,356 (27.1%) of the
numbers. Specifically, there were 378 hits (7.6%) on Yelp, 684
(13.7%) on Google Places, and 618 (12.3%) on Facebook. What about if
an organization were willing to put in some manpower? To
conservatively approximate human analysis, we randomly sampled 100
numbers from our dataset, then ran Google searches on each. In under
an hour, we were able to associate an individual or a business with
60 of the 100 numbers. When we added in our three initial sources,
we were up to 73. How about if money were no object? We don’t
have the budget or credentials to access a premium data aggregator,
so we ran our 100 numbers with Intelius, a cheap consumer-oriented
service. 74 matched. [The results we obtained from Intelius were
seemingly spottier than from Yelp, Google Places, and Facebook.]
Between Intelius, Google search, and our three initial sources, we
associated a name with 91 of the 100 numbers. If a few academic
researchers can get this far this quickly, it’s difficult to
believe the NSA would have any trouble identifying the overwhelming
majority of American phone numbers.”

Is buying data stolen
from an individual (or an organization that individual deals with) a
Fourth Amendment violation? I would say it was clearly unethical,
yet we see it a lot. Both Germany and France paid for stolen Swiss
banking records, for example.

Major
League Baseball, in its zeal to nail A-Rod and other accused juicers,
paid thousands for stolen medical records.

Not
that we don’t relish the prospect of overpaid jocks getting their
comeuppance, but there’s a small problem with trafficking in stolen
property. It’s stolen.

Florida
law’s not fuzzy about the legality of “dealing in stolen
property.” A state statute puts it bluntly. “Any person who
traffics in, or endeavors to traffic in, property that he or she
knows or should know was stolen shall be guilty of a felony of the
second degree.”

The
legislature, in writing the statute, failed to include an exception
for Major League Baseball. No worries. It has become apparent, as
this latest baseball doping scandal unfolded, that MLB investigators
are allowed to operate beyond legal restraints that hamper less
exalted elements of society.

… The most recent
standout in the class of “vaporgoods” is Coin,
which straddles the divide between software and hardware. If you
haven’t seen the promos yet, Coin is a new device that aggregates
all of your information from credit, debit, and even loyalty cards
and can be swiped just like a regular credit card. Coin’s makers
first launched a $50,000 crowdfunding campaign and, after
hitting their goal inside of 40 minutes, are continuing to take
pre-orders at half the future retail price. It’s unknown how
many units of the device have now been pre-sold. However, the real
success isn’t in the amount of cash Coin raises; it’s that the
minds behind Coin have proven there’s a market demand for
their product using the only research method that counts: the market
itself.

This could be very
handy for my next book. (My next one will be my first) Also for my
website students.

– is a free converter
tool for documents produced by Microsoft Word and similar office
software. Word to clean HTML strips out invalid or proprietary tags,
leaving clean HTML behind for use in webpages and
eBooks. Simply paste your text into the box then click
the “convert to clean HTML” button.

Tuesday, December 24, 2013

Something my Ethical
Hackers should consider. Will we look back at Syria as the first
true “Digital Battlefield,” even though it is very one-sided
(that we can prove) and targeted at non-combatants as well as the
“rebels.” No violation of the “laws of war” (Is it?) but how
do you counter?

“More than two years
into the Syrian conflict, the violence continues both on the ground
and in the digital realm. Just as human rights investigators and
weapons inspectors search for evidence of chemical weapons, EFF, and
the University of Toronto’s Citizen
Lab have been collecting, dissecting, and documenting malicious
software deployed against the Syrian opposition. Citizen Lab
security researchers Morgan Marquis-Boire and John Scott-Railton and
EFF Global Policy Analyst Eva Galperin today published their latest
technical paper, Quantum
of Surveillance: Familiar Actors and Possible False Flags in Syrian
Malware Campaigns. The report outlines how pro-government
attackers have targeted the opposition, as well as
NGO workers and journalists, with social engineering and
“Remote Access Tools” (RAT).”

I’ve
written this post for two reasons. First, the recent Target breach
has led to some confusion, which I will try to clear up here.
Second, I wanted to create an easily referenced educational
resource on how credit cards are designed to work. I’m hoping
this will help people understand the intricacies of credit card fraud
and how some credit card features attempt to limit it.

Here
is the TL;DR version: CVV codes were compromised and should not be
stored post-authorization, but the CVV codes compromised are not
the codes printed on the card that we get asked for when making
online purchases. There are actually two separate security
codes: one to prove possession of the card when it is swiped
(stored on the magnetic strip) and another printed on the card, to
prove possession of the card when it is used in card-not-present
transactions, like e-commerce or over the phone. The same value is
not used for both codes.

Based on what we know
about the breach, it sounds like track data was either potentially
stored by Target (against PCI DSS rules), was captured in transit or
was captured pre-authorization (PCI says you can’t store track data
after authorization). If full track data was
compromised, the primary threat of consumer fraud from this breach
will be for stolen data to be copied to fake credit cards and used
in-person.
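The two security codes and the "don't store track data after authorization" rule described above, as an added example that is not from the quoted post: a Python parser for ISO/IEC 7813 Track 2 data, the subset a merchant may retain once authorization completes, and a check over stored text for retained track data or CVV2 fields. The card number, track string, log lines and all function names (`TRACK2_RE`, `storable_after_auth`, `find_sensitive_auth_data`) are constructed for this example.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout:  ;PAN=YYMMSSS<discretionary data>?
# YYMM is the expiry, SSS the service code, and the issuer's discretionary
# data is where the stripe's verification value (CVV1/CVC1) lives. The CVV2
# printed on the card is a different value and never appears on the stripe.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# Field names that should never be written to logs or a database after
# authorization: the printed code used for card-not-present transactions.
CVV2_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str
    discretionary: str   # contains CVV1; sensitive authentication data


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every PAN passes; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into its fields, rejecting malformed input."""
    m = TRACK2_RE.search(raw)
    if m is None or not luhn_ok(m.group("pan")):
        raise ValueError("no well-formed Track 2 data present")
    return Track2(m.group("pan"), m.group("exp"), m.group("svc"), m.group("disc"))


def mask_pan(pan: str) -> str:
    """PCI DSS masking: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_after_auth(t: Track2) -> dict:
    """The subset a merchant may keep once authorization has completed.

    The discretionary data (and with it CVV1) is dropped, so a later dump of
    this record cannot be turned into a working counterfeit stripe.
    """
    return {"pan_masked": mask_pan(t.pan), "expiry": t.expiry, "service_code": t.service_code}


def find_sensitive_auth_data(lines):
    """Scan stored text (logs, DB exports) for data that must not persist.

    Returns (line_number, kind) pairs, kind being 'track2' or 'cvv2'.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = TRACK2_RE.search(line)
        if m is not None and luhn_ok(m.group("pan")):
            findings.append((n, "track2"))
        if CVV2_FIELD_RE.search(line):
            findings.append((n, "cvv2"))
    return findings


# Constructed sample data: 4111111111111111 is a well-known test PAN.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"
SAMPLE_LOG = [
    "2013-12-19 12:00:01 auth ok pan_masked=411111******1111 exp=2512",
    "2013-12-19 12:00:02 DEBUG raw_swipe=;4111111111111111=25121011234567890?",
    "2013-12-19 12:00:03 order 77 cvv2=123 amount=19.99",
    "2013-12-19 12:00:04 health check ok",
]

if __name__ == "__main__":
    track = parse_track2(SAMPLE_TRACK2)
    print("retain after auth:", storable_after_auth(track))
    for line_no, kind in find_sensitive_auth_data(SAMPLE_LOG):
        print(f"line {line_no}: {kind} data retained after authorization")
```

Running the scanner over the constructed log flags line 2 (full Track 2 retained in a debug message) and line 3 (a stored CVV2), while the masked record on line 1 passes.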

What
harms are privacy laws designed to prevent? How are people injured
when corporations, governments, or other individuals collect,
disclose, or use information about them in ways that defy
expectations, prior agreements, formal rules, or settled norms? How
has technology changed the nature of privacy harm?

These
questions loom large in debates over privacy law. Often, they are
answered skeptically. The President of the United States justifies
massive NSA surveillance programs by arguing that non-content
surveillance is not very harmful. Advertisers resist calls for
aggressive forms of Do Not Track by arguing that the way they track
online behavior creates little risk of harm. Judges dismiss lawsuits
brought by users suing services that suffer massive data breaches,
for lack of harm.

Meanwhile,
many privacy law scholars and advocates do not speak consistently, if
they speak at all, about privacy harm. Some prefer to talk about
“problems” or “conflicts” not harms. Others point primarily
to abstract, societal harms such as chilling effects or harms to
dignity or individual autonomy. Many of these people have tried to
move the conversation away from harm and what they see as crabbed,
tort-centric approaches to privacy protection.

It
is time to revisit old conversations about harm. New
practices and technologies raise new threats of harm. [Or
automate existing ones? Bob] The fear of Big Data
techniques (for example in the public debate over the pregnancy
prediction program of the retailer Target) have inspired new theories
of harm. Economists and computer scientists have developed new ways
of measuring privacy harm. Regulators have adopted new ways of
talking about harm.

Join
the Silicon Flatirons Center for Law, Technology, and
Entrepreneurship on Friday, January 17, 2014, from 9:00 AM – 4:15
PM as we venture into the New Frontiers of Privacy Harm. We will
assemble thought leaders and top practitioners and regulators for a
diverse and rich set of conversations about privacy harm.

You can see the great
line-up of presenters and discussants, and access the day’s
schedule here.

As
online social media grow, it is increasingly important to distinguish
between the different threats to privacy that arise from the
conversion of our social interactions into data. One
well-recognized threat is from the robust concentrations of
electronic information aggregated into colossal databases. Yet
much of this same information is also consumed socially and dispersed
through a user interface to hundreds, if not thousands, of peer
users.

In
order to distinguish relationally shared information from the threat
of the electronic database, this essay identifies the massive amounts
of personal information shared via the user interface of social
technologies as “social data.” The main thesis of this essay
is that, unlike electronic databases, which are the focus of the Fair
Information Practice Principles (FIPPs), there are no commonly
accepted principles to guide the recent explosion of voluntarily
adopted practices, industry codes, and laws that address social data.

This
essay aims to remedy that by proposing three social data principles —
a sort of FIPPs for the front-end of social media: the Boundary
Regulation Principle, the Identity Integrity Principle, and the
Network Integrity Principle. These principles can help courts,
policymakers, and organizations create more consistent and effective
rules regarding the use of social data.

You can download the
full article from SSRN.
You may also wish to see the other articles in the same
issue of the Ohio State Law Journal

I doubt most people
even think about why privacy is of concern to magazines like Forbes.

Forget
“twerking” and “selfies.” Dictionary.com dubbed “privacy”
the
word of the year in 2013. Here at The Not-So Private Parts,
it feels a little like the unknown indie band we’ve been obsessed
with for years just won best album at the Grammys. So why did the
plight of our personal data achieve Arcade Fire-level fame this year?

When
asked to choose which is more important to them, protecting their
personal information online or protecting their online behavior,
respondents to a recent survey said hacking is a bigger concern than
tracking.

Some
75 percent of those surveyed said they are worried about hackers
stealing their personal information, while 54 percent are worried
about their browsing history being tracked by advertisers.

Nearly all hospitals with EHR technology had RTI-recommended audit functions
in place, but they may not be using them to their full extent.
In addition, all hospitals employed a variety of RTI-recommended
user authorization and access controls. Nearly all hospitals were
using RTI-recommended data transfer safeguards. Almost half of
hospitals had begun implementing RTI-recommended tools to include
patient involvement in anti-fraud efforts. Finally, only about one
quarter of hospitals had policies regarding the use of the copy-paste
feature in EHR technology, which, if used improperly, could pose a
fraud vulnerability.

WHAT WE RECOMMEND

We recommend that audit logs be operational whenever EHR technology
is available for updates or viewing. We also recommend that ONC and
CMS strengthen their collaborative efforts to develop a comprehensive
plan to address fraud vulnerabilities in EHRs. Finally, we recommend
that CMS develop guidance on the use of the copy-paste feature in EHR
technology. CMS and ONC concurred with all of our recommendations.

Just under three weeks
ago now, I launched Have I been pwned? which could tell you if you owned one
of 154 million email addresses that had been caught up in recent
data breaches. Subsequently, the site turned
out to be wildly popular and as with such things, a lot of good
ideas came up in terms of features people would like to see.

Without doubt, the
number one request was for notifications. Searching for accounts
that may have been pwned up to the current date is one thing, but the
real value is in being automatically notified when you get
pwned in the future. So I built it – oh and I’ve
made it a free service.

Signing up for notifications

Let me talk you through
it: First of all, jump over to haveibeenpwned.com
and search for your email address. You can always just hit the
“Notify me” link in the nav but I suspect most people will want
to kick off by looking at whether they’ve already been compromised.

This is pretty much
business as usual, except now you’ve got a “Notify me if my
address gets pwned in the future” hyperlink just above the social
media icons. Click that guy and you’ll get a little window:

I like lists like this,
because I always try to steal learn from the best!
Many more blogs listed at the site.

… The learning
opportunity comes into play when you don’t already understand
something you encounter in the packet capture file. You are expected
to do your own research to understand the artifact well enough to
explain it in your response. Given that this year’s scenario is
based on a virtual city’s critical infrastructure, Skoudis says
there will be some protocols that network professionals probably
aren’t familiar with. It’s a chance to stretch your knowledge a
bit and build some in-demand skills in a fun way.

Since this is the 10th
year for the competition, some of the previous years’ challenges
and answers are posted online.

… For a look at the
2012 Holiday Hacking Challenge and the winning and honorable mention
responses, click
here.

… He reassured
shoppers that they will not be held financially responsible for any
credit card or debit card fraud. Target will contact customers who
are eligible for the credit monitoring "soon," he said.

Section 8, subsection
4, page 81, paragraph 41, line 16, micro-line 58, and I quote:
“Whereas and who-as and when-as the party of the twenty-second part
did authorize, condone and allow by use of the data of party two, we
herewith, hereby and hereto declare, 'You ain't got no privacy!'
Welcome to California.”

On January 1, 2014, California
Assembly Bill 370 will go into effect,
requiring operators of websites and other online services, including
mobile applications, to provide
new disclosures in their website privacy policies about online
tracking. Operators will be required to
disclose whether third parties collect certain information about
California residents over time and across different websites when
those residents use the operators’ sites and services. The law
also requires that operators disclose how they respond to
do-not-track signals or other mechanisms designed to provide
consumers with choices relating to such activities. Although the
law is limited to online services directed to California,
it provides a de facto national standard for websites that do not
provide separate privacy disclosures based on location.

The Texas Health Services Authority (THSA) recently announced its
selection of the Health Information Trust Alliance (HITRUST) Common
Security Framework (CSF), the most widely adopted information privacy
and security framework in the U.S. healthcare industry, to form the
basis of the Texas Covered Entity Privacy and Security Certification
Program, setting the stage for Texas to become the first state in the
nation to implement a formal certification program that incorporates
state and federal privacy and security regulations, including HIPAA
and the Texas Medical Records Privacy Act (TMRPA).

HB 300 also amended
the TMRPA to include a list of mitigating factors Texas courts
must consider in determining the appropriate penalty for a covered
entity that violates the TMRPA, including its compliance history and
whether it was certified at the time of the violation.

Big Data. I find these
amusing. After carefully reading all 8 pages, I'd like to buy a
vowel.

“We constructed a
corpus of digitized texts containing about 4% of all books ever
printed. Analysis of this corpus enables us to investigate
cultural trends quantitatively. We survey the vast terrain of
‘culturomics,’ focusing on linguistic and cultural phenomena that
were reflected in the English language between 1800 and 2000. We show
how this approach can provide insights about fields as diverse as
lexicography, the evolution of grammar, collective memory, the
adoption of technology, the pursuit of fame, censorship, and
historical epidemiology. Culturomics extends the boundaries of
rigorous quantitative inquiry to a wide array of new phenomena
spanning the social sciences and the humanities.”

– When your eyes get
tired and you start feeling the eye strain, but still have some work
to do, use the Exercises For Eyes. Regular eye exercises can help
you to improve eyesight and prevent eye diseases such as
nearsightedness and farsightedness. Follow the instructions step by
step, taking twenty-second breaks between exercises.

San Francisco – U.S.
government intelligence officials late last night released
some previously secret declarations submitted to the court in Jewel
v. NSA – EFF’s long-running case challenging the NSA’s
domestic surveillance program – plus a companion case, Shubert
v. Obama. The documents were released pursuant to the
court’s order.

Surprisingly, in these
documents and in the brief
filed with them, the government continues to claim
that plaintiffs cannot prove they were surveilled without state
secrets and that therefore, a court cannot rule on the legality or
constitutionality of the surveillance. For example,
despite the fact that these activities are discussed every day in
news outlets around the world and even in the president’s recent
press conference, the government states broadly that information that
may relate to Plaintiffs’ claims that the “NSA indiscriminately
intercepts the content of communications, and their claims regarding
the NSA’s bulk collection of … metadata” is still a state
secret.

… The newly
released declarations are the first time the government has
declassified a description of the origins and history of the NSA’s
illegal and unconstitutional surveillance programs. However, these
declarations – and the reissued state secrets claims – represent
only a very slight shift in the government’s tactics in this case.

… Earlier this
week, a Washington D.C. federal court judge ruled
that NSA telephone records collection was “probably
unconstitutional” in DC federal court. In July, based on documents
filed before the Snowden revelations, the judge in the Jewel v.
NSA ruled
against the government’s state secrets claims. Now we look
forward to the California federal court finally ruling on the
legality of the “upstream”
interception of internet content and the telephone records program.

Even a brief reading
leaves me with many questions, but again it could just be poor
writing. If one file could have multiple links (a technique to avoid
duplication) a request to delete an “infringing” link should not
automatically delete the file and all legitimate links, yet that
seems to be what the FBI (MPAA?) expects. (and that's only page 3!)

Kim Dotcom's legal team
have been left furious after the United States skirted local court
suppressions to release what they say is a "cherry-picked"
summary of their case against the piracy-accused.

A detailed summary of
the evidence against the Megaupload founder was made public in the US
yesterday for the first time since the case began almost two years
ago.

The evidence is
suppressed in New Zealand by way of a ruling from Judge David Harvey
made in the early stages of the court process against Dotcom.

The Sunday Star-Times
understands Dotcom's legal team wanted it to remain secret until
trial to give their client a fair chance, as they
have not been given access to the documents the summary is based on,
and believe the US account is one-sided and could create prejudice.

However, the FBI sought
leave from a court in Virginia to release what it says is a "new"
summary of the evidence to allow alleged victims to come forward and
make claims against the estimated $80 million seized from the
company.

A US judge ruled the
documents could be "unsealed" on Friday, despite the
ongoing New Zealand suppression.

… So far, Dotcom
has had several victories against prosecutors, including rulings that
searches at his home breached the law, and that he was spied on
illegally by the Government Communications Security Bureau.

His lawyers have
repeatedly accused the US of a heavy-handed approach against him,
backed by movie moguls and politicians rather than legitimate legal
grounds.

… "The DOJ
release today is made up of ‘recycled allegations' that don't point
to criminal copyright infringement," he said. Rothken had filed
an application fighting the summary's release, but he was not heard
in court.

is a free
text-to-speech plugin for Microsoft Word that creates audio files
from any document written in Word. It can speak the text of the
document and highlight as it goes, enabling visually impaired users
to read documents online. It also offers a number of programmable
keyboard shortcuts, helping many types of users (for example,
students who have trouble holding a mouse) to have an adapted, useful
device. It is also great for students with reading difficulties, who
may benefit from both reading and hearing the text they’re working
with.

I don't assign a lot of
papers in my Math classes, but I'll save this for my next Computer
Security students.

“In a survey of
Advanced Placement and National Writing Project teachers, a majority
say digital tools encourage students to be more invested in their
writing by encouraging personal expression and providing a wider
audience for their work. Most also say digital tools make teaching
writing easier, despite an increasingly ambiguous line between formal
and informal writing and students’ poor
understanding of issues such as plagiarism and fair use.” [We
have an App for that. Bob]

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.